#######################################################################
Luigi Auriemma
Application: Genecys
http://www.genecys.org
Versions: <= 0.2 and current CVS
Platforms: *nix and *BSD
Bugs: A] tell_player_surr_changes buffer-overflow
      B] parse_command NULL pointer crash
Exploitation: remote, versus server
Date: 12 May 2006
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
1) Introduction

Genecys is an open source MMORPG project.
#######################################################################
2) Bugs

A] tell_player_surr_changes buffer-overflow

The function tell_player_surr_changes is affected by a buffer-overflow
which could allow an attacker to execute malicious code.
The problem is caused by the usage of sprintf and strcat on two 256-byte
stack buffers (buf and buf2): the object's name, plural name and model
strings are formatted into them without any length check.
From server/player.c:

int tell_player_surr_changes(event_t *event)
{
    pl_known_t *known, *knext;
    object_t *obj;
    char buf[256], buf2[256], b2[40];

    obj = event->initiator;
    for (known=TAILQ_FIRST(&obj->pl->known); known != NULL; known = knext) {
        knext = TAILQ_NEXT(known, next);
        if (!event->action)
            known->lu--;
        if (known->bits > 0) {
            sprintf(buf, "chob id:%s", uid_sprint(b2, &known->uid));
            if (known->bits & PLKN_NROF) {
                sprintf(buf2, " nrof:%d", known->nrof);
                strcat(buf, buf2);
            }
            if (known->bits & PLKN_STATE) {
                sprintf(buf2, " st:%d", known->state);
                strcat(buf, buf2);
            }
            if (known->bits & PLKN_NAME) {
                sprintf(buf2, " nm:\"%s\"", known->name);
                strcat(buf, buf2);
            }
            if (known->bits & PLKN_NAMEPL) {
                sprintf(buf2, " nmp:\"%s\"", known->name_pl);
                strcat(buf, buf2);
            }
            if (known->bits & PLKN_MODEL) {
                sprintf(buf2, " mdl:\"%s\"", known->model);
                strcat(buf, buf2);
            }
            ...
Note: it has not been possible to test this bug in practice due to some
problems while running my test server.
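As an added illustration (not code from the advisory or from the Genecys
project), the following is a bounded counterpart of the sprintf/strcat chain
above: every fragment is appended with vsnprintf against the space remaining
in the destination, and an oversized field is refused instead of overflowing.
The known_t struct, the PLKN_* values and the uid string are stand-ins for the
real pl_known_t fields, whose layout is not shown on the page.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the pl_known_t fields used by the snippet. */
#define PLKN_NROF   0x01
#define PLKN_STATE  0x02
#define PLKN_NAME   0x04
#define PLKN_NAMEPL 0x08
#define PLKN_MODEL  0x10

typedef struct {
    unsigned bits;
    int nrof;
    int state;
    const char *name;
    const char *name_pl;
    const char *model;
} known_t;

/* Append a formatted fragment to buf without writing past cap bytes.
 * Returns 0 on success, -1 if the fragment did not fit (buf stays NUL
 * terminated and is marked full so later appends are refused too). */
static int append_fmt(char *buf, size_t cap, size_t *len, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (*len >= cap - 1)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf + *len, cap - *len, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= cap - *len) {
        *len = cap - 1;
        return -1;
    }
    *len += (size_t)n;
    return 0;
}

/* Bounded version of the "chob" message builder. Returns the message length,
 * or -1 if any field had to be dropped because it would not fit. */
int build_chob(const known_t *k, const char *uid, char *buf, size_t cap)
{
    size_t len = 0;
    int rc = 0;

    if (cap == 0)
        return -1;
    buf[0] = '\0';
    rc |= append_fmt(buf, cap, &len, "chob id:%s", uid);
    if (k->bits & PLKN_NROF)   rc |= append_fmt(buf, cap, &len, " nrof:%d", k->nrof);
    if (k->bits & PLKN_STATE)  rc |= append_fmt(buf, cap, &len, " st:%d", k->state);
    if (k->bits & PLKN_NAME)   rc |= append_fmt(buf, cap, &len, " nm:\"%s\"", k->name);
    if (k->bits & PLKN_NAMEPL) rc |= append_fmt(buf, cap, &len, " nmp:\"%s\"", k->name_pl);
    if (k->bits & PLKN_MODEL)  rc |= append_fmt(buf, cap, &len, " mdl:\"%s\"", k->model);
    return rc ? -1 : (int)len;
}

/* Constructed input: a 300-byte name, longer than the 256-byte buffer the
 * original code formats into. Returns 1 if the bounded builder refused the
 * field and left the guard byte placed after the buffer untouched. */
int demo_oversized_name(void)
{
    char name[301];
    struct { char buf[256]; char guard; } s;
    known_t k = { PLKN_NAME, 0, 0, name, NULL, NULL };
    int n;

    memset(name, 'A', 300);
    name[300] = '\0';
    s.guard = 0x5a;
    n = build_chob(&k, "1.2", s.buf, sizeof s.buf);
    return n == -1 && strlen(s.buf) < sizeof s.buf && s.guard == 0x5a;
}

int main(void)
{
    char buf[256];
    known_t k = { PLKN_NROF | PLKN_NAME, 3, 0, "orc", NULL, NULL };

    printf("%d: %s\n", build_chob(&k, "1.2", buf, sizeof buf), buf);
    printf("oversized name handled safely: %d\n", demo_oversized_name());
    return 0;
}
```

Returning -1 rather than silently truncating matters here: a truncated
"nm:" field would still be sent to the client as a valid-looking message,
so the caller should log and skip the object instead of forwarding it.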
B] parse_command NULL pointer crash

The function which parses the commands sent by the client doesn't check
the return value of a strchr call used for splitting each command from
its value (CMD:VAL).
If the attacker's command doesn't contain the ':' char, strchr returns
NULL, the pointer is incremented and then dereferenced, and the server
crashes.
From common/netparser.c:

pargs_t *parse_command(char **words, int *command, int count)
{
    argtable_t *asp, dummy;
    char *cp, *tmp, *p;
    size_t span;
    ...
    args = safer_malloc(sizeof(pargs_t)*numargs);
    cur = 0;
    for (i=1; i < count && words[i] != NULL && *words[i]; i++) {
        span = strcspn(words[i], ":");
        tmp = strchr(words[i], ':');
        tmp++;
    ...
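As an added example (not code from the advisory or from Genecys), here is
the same CMD:VAL split written so that a word without ':' is rejected
rather than dereferenced. split_cmd_val and parse_words are hypothetical
names; parse_words mirrors the loop condition of parse_command above but
only counts well-formed words.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Split one "CMD:VAL" word: copies the command into cmd and points *val at
 * the text after the first ':'. Returns 0 on success, -1 when the word has
 * no ':' (the case where the original does tmp = strchr(...); tmp++; and
 * then dereferences NULL), when the command is empty, or when it does not
 * fit in cmd. */
int split_cmd_val(const char *word, char *cmd, size_t cmdcap, const char **val)
{
    const char *colon;
    size_t span;

    if (word == NULL || cmd == NULL || val == NULL || cmdcap == 0)
        return -1;
    colon = strchr(word, ':');
    if (colon == NULL)                 /* missing separator: reject, don't crash */
        return -1;
    span = (size_t)(colon - word);
    if (span == 0 || span >= cmdcap)   /* empty or oversized command name */
        return -1;
    memcpy(cmd, word, span);
    cmd[span] = '\0';
    *val = colon + 1;
    return 0;
}

/* Walk words[1..count-1] the way parse_command's loop does. Returns the
 * number of accepted CMD:VAL words, or -1 at the first malformed one so the
 * caller can drop the whole client command. */
int parse_words(char **words, int count)
{
    char cmd[32];
    const char *val;
    int i, accepted = 0;

    for (i = 1; i < count && words[i] != NULL && *words[i]; i++) {
        if (split_cmd_val(words[i], cmd, sizeof cmd, &val) != 0)
            return -1;
        accepted++;
    }
    return accepted;
}

int main(void)
{
    /* Constructed inputs: a well-formed command line and one whose second
     * word lacks the ':' separator. */
    char *good[] = { "move", "dir:north", "speed:2", NULL };
    char *bad[]  = { "move", "dir", NULL };

    printf("good: %d words accepted\n", parse_words(good, 4));
    printf("bad:  %d (rejected)\n", parse_words(bad, 3));
    return 0;
}
```

Any pointer returned by strchr, strstr or strrchr is a candidate for this
pattern; the check belongs at the call site, before the arithmetic on it.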
#######################################################################
3) The Code

http://aluigi.org/poc/genecysbof.zip
#######################################################################
4) Fix

No fix.
No reply from the developers... the game seems no longer supported.
#######################################################################
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/